Bug Description

After a user got his accounts merged, he lost the ability to login to any site, because he had 2F enabled on his account and set to be required for all sites. As a side-effect of the merge, his LP account got severed from his SSO account, therefore causing SSO team membership verification to fail.

Since SSO uses team membership to enable/disable the 2F feature, it was failing to present the user with the 2F aspects during login. Since his account required 2F for all sites, he couldn't login to any site.

This issue was fixed by

1. Disable 2F on his account temporarily so he could log into LP
2. User logged into LP, which caused his LP<->SSO link to be reestablished
3. User re-enabled 2F for all sites on his SSO profile
4. User confirmed he could still login to sites and 2F was again working.

Nevertheless, SSO should not block logins (even if they require 2F if the 2F feature is disabled for a user), which still needs to be fixed properly in SSO.

I hit something very similar to this today. Logging in to Ubuntu SSO via a private browser window to login to launchpad I get a 2fa requirement. My 2fa was previously connected to my yubikey and now defunct @canonical.com address. Fortunately I was able to dig up my old yubikey that I used for authentication back in the day.

Logging directly into login.ubuntu.com also requires 2fa, but does not show the "Authentication Devices tab" for configuration.

Actually ignore my previous post. As I was added to sso-2f-testers in the middle of looking into what was going on. So I'll redescribe what I originally reported on ubuntu-devel. Here's a modified version of what I reported on irc.

------
So I discovered today that my ubuntu one login has 2fa enabled when enabling livepatch via "software & updates", but was not required when logging in directly via login.ubuntu.com or via launchpad OpenID. I suspect that has something to do with me no longer being at Canonical. Additionally when logging in directly to login.ubuntu.com *(with only user/pass), I do not see 2fa configuration tabs.

Once I was added to sso-2f-testers it seems that 2fa was re-enabled when logging in directly to login.ubuntu.com, and the configuration tab became visible again.